Information Systems (IS) audits conducted by the Legislative Audit 
Division are designed to assess controls in an IS environment. 
IS controls provide assurance over the accuracy, reliability, and 
integrity of the information processed. From the audit work, 
a determination is made as to whether controls exist and are 
operating as designed. We conducted this IS audit in accordance 
with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for 
our findings and conclusions based on our audit objectives. We 
believe that the evidence obtained provides a reasonable basis for 
our finding and conclusions based on our audit objectives. 


Members of the IS audit staff hold degrees in disciplines appropriate 
to the audit process. Areas of expertise include business, 
accounting, education, computer science, mathematics, political 
science, and public administration. 


IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under the 
oversight of the Legislative Audit Committee which is a bicameral 
and bipartisan standing committee of the Montana Legislature. 
The committee consists of six members of the Senate and six 
members of the House of Representatives. 
The Legislative Audit Committee 
of the Montana State Legislature: 


We conducted an Information Systems audit of controls within the Automated 
Licensing System (ALS) at the Department of Fish, Wildlife and Parks (FWP). The 
focus of the audit was to: ensure specific ALS processing controls function as FWP 
management intends, ensure FWP controls changes to ALS, determine the 
implementation status of prior audit recommendations (05DP-03), and determine why FWP 
does not have an up-to-date Disaster Recovery/Business Continuity plan. 


This report contains four recommendations for strengthening processing and change 
controls, and maintaining an up-to-date disaster recovery plan. 


We wish to express our appreciation to the Montana Department of Fish, Wildlife and 
Parks for their cooperation and assistance. 


Respectfully submitted, 
/s/ Tori Hunthausen 


Tori Hunthausen, CPA 
Legislative Auditor 
REPORT SUMMARY 


Department of Fish, Wildlife and Parks 


The Automated Licensing System (ALS) facilitates the Department of Fish, Wildlife 
and Parks (FWP) hunting, fishing, and recreational license issuance process. ALS also 
aids FWP in conducting license drawings, supports administrative business functions 
related to licensing, and provides data which assists with the enforcement of hunting 
and fishing regulations. In fiscal year 2004, approximately $37 million in license fee 
revenue was processed through ALS. This has increased through fiscal year 2009 as 
license fee revenues processed through ALS reached just under $45.6 million. 


Considering hunting and fishing are important cultural aspects of life in Montana 
and license fees are an important source of operational revenues for FWP, it is essential 
ALS accurately process license revenue information (fees) and maintain the integrity 
of licensee information. Due to the reliance FWP places on ALS, we conducted audit 
work to address objectives related to processing controls, system change controls, and 
system availability. 


Information system processing controls ensure complete and accurate processing of 
data from input to output. Audit work was conducted to ensure specific ALS processing 
controls function as FWP management intends. Additionally, information systems are 
generally a dynamic and fluidly changing environment. Data can be modified and 
programming code updated to reflect the changing needs of an organization or to 
remediate flaws. We reviewed procedures in place to ensure FWP controls changes to 
ALS. Finally, agencies are responsible for maintaining information systems availability 
in the event of a disaster or major outage. To mitigate the damage resulting from 
disruptions, agencies need to implement a disaster recovery plan. Our audit reviewed 
why FWP does not maintain an up-to-date disaster recovery plan for ALS. 


Overall, we conclude ALS processing controls are functioning as management intends. 
However, we identified areas where FWP can improve controls around ALS including 
more effectively identifying deceased licensees, preventing and detecting unauthorized 
changes to programming code and database tables, and better preparing for the conti- 
nuity of licensing operations. This report discusses our findings and includes four 
recommendations for strengthening processing and change controls and maintaining 
an up-to-date disaster recovery plan. 
Chapter I — Introduction and Background 


Introduction 


The Automated Licensing System (ALS) facilitates the Department of Fish, Wildlife 
and Parks (FWP) hunting, fishing, and recreational license issuance process. ALS also 
aids FWP in conducting license drawings, supports administrative business functions 
related to licensing, and provides data which assists with the enforcement of hunting 
and fishing regulations. 


ALS users include: 
• FWP employees and contractors who develop and administer ALS 


• internal FWP employees who issue licenses at FWP headquarters and 
regional offices 


• external license retailers who issue licenses from business locations 


• members of the public who access ALS from the Internet through the 
eLicense Sales application 


ALS is a custom system developed by a third party vendor and FWP development staff. 
System implementation began in 2002 and was completed during 2004. ALS issues 
licenses and permits using point-of-sale (POS) terminals at license provider locations 
and FWP district offices, and through the Internet using the eLicense Sales application. 
Transaction information from both POS terminals and eLicense Sales is sent to ALS 
servers housed and maintained by the Department of Administration Information 
Technology Services Division (ITSD). Current efforts consist of enhancements to 
functionality and ongoing system maintenance performed by in-house staff. 


License fee revenues are an important source of funding for FWP operations. In fiscal 
year 2004, approximately $37 million in license fee revenue was processed through 
ALS. This has increased through fiscal year 2009 as license fee revenues processed 
through ALS reached just under $45.6 million. 


Audit Objectives 


Considering hunting and fishing are important cultural aspects of life in Montana 
and license fees are an important source of operational revenues for FWP, it is essential 
ALS accurately process license revenue information (fees) and maintain the integrity 
of licensee information. Due to the reliance FWP places on ALS, we conducted audit 
work to address the following objectives: 


• Ensure specific ALS processing controls function as FWP management 
intends. 


• Ensure FWP controls changes to ALS. 


• Determine the implementation status of prior audit recommendations 
(05DP-03). 


• Determine why FWP does not have a fully developed and tested Disaster 
Recovery/Business Continuity plan. 


Audit Scope and Methodology 


ALS provides diverse functionality for FWP leading to a relatively complex system. 
Adding to the complexity are fee and licensing changes brought about during legislative 
sessions and rule changes issued by the Fish, Wildlife and Parks Commission. In 2003 
and 2005, we conducted Information Systems audits of ALS. As a result, our audit 
addressed areas we had not previously reviewed, follow-up on prior areas of review and 
resulting recommendations, and concerns identified during preliminary work. 


Testing ALS functionality and controls included a combination of interviews of 
management and staff, review of agency documents, observation of ALS processes, 
and extraction and analysis of ALS data using a computer assisted audit tool. 


This audit was conducted in accordance with Government Auditing Standards 
published by the United States Government Accountability Office. We evaluated the 
control environment using state law and generally applicable and accepted government 
information technology standards established by the National Institute of Standards 
and Technology. 


Prior Audit Recommendations 


In the previous ALS audit report (05DP-03), we made two recommendations to 
FWP. Our recommendations addressed granting and monitoring access to ALS, and 
documenting procedures and training backup personnel for critical processes. 


We recommended the department develop and maintain written procedures for 
granting user access to ALS, and periodically review user access for appropriateness. 
The department has developed a written policy and formal procedures for granting 
user access to ALS. Individuals requesting access must complete an access request 
form which must be signed by their supervisor and approved by management. FWP 
hired an Information Technology Security Officer in November 2008 and the 
department is currently undergoing a process to review all user access across all FWP 
applications. The Information Technology Security Officer indicated once the review 
was completed, further reviews would be conducted on an annual basis. As a result, 
this recommendation is being implemented. 


We also recommended the department document procedures performed during the 
ALS license revenue collection process, and train backup personnel to perform duties 
in case of absence. The department has implemented this recommendation. 


Audit Overview 


Based on our work, we conclude ALS processing controls are functioning as 
management intends. However, we identified areas where FWP can improve controls 
around ALS including more effectively identifying deceased licensees, preventing 
and detecting unauthorized changes to programming code and database tables, 
and better preparing for the continuity of licensing operations by maintaining an 
up-to-date disaster recovery plan. The remainder of this report discusses our findings 
and recommendations. 
Chapter II — Processing Controls 


Introduction 


Information system processing controls ensure complete and accurate processing 
of data from input to output. Examples include accuracy of data exchanged with 
other information systems, program scripts to ensure correct data format, and 
identifying individuals with suspended privileges. During our review, we identified 
several processing controls in the Automated Licensing System (ALS) important to 
Department of Fish, Wildlife and Parks (FWP) business processes for issuing hunting 
and fishing licenses and enforcing hunting and fishing laws. As a result, we conducted 
audit work to ensure specific ALS processing controls function as FWP management 
intends. 


Processing Controls 


During the planning stages of our audit, we identified five specific processing controls 
in ALS we had not previously audited or that have been of particular interest to the public. 


The processing controls we reviewed were: 


• Seven Year Wait Licenses: A person who receives a moose, mountain goat, 
or limited mountain sheep license, with the exception of an antlerless moose 
or an adult ewe game management license, is not eligible to receive another 
special license for that species for the next seven years. 


• Social Security Numbers: For the purposes of enforcing the collection of 
child support, Title IV-D of the Social Security Act requires states to collect 
the Social Security Number (SSN) of all persons applying for a recreational 
license. The 2007 Legislature enacted restrictions on the collection of 
SSNs. 


• Bonus Points: FWP uses a drawing process to award game licenses in limited 
license areas. An applicant who is unsuccessful in obtaining a license in 
their first preferred district earns a bonus point which can be used in later 
drawings. 


• Suspension of License Privileges: Individuals convicted of hunting or fishing 
violations can have their privilege to hunt or fish suspended for a period 
of time. FWP relies on suspension information provided by the Notice to 
Appear and Complaint (NTA) and Interstate Wildlife Violator Compact 
(IWVC) applications to prevent suspended individuals from obtaining 
licenses. 


• Deceased Licensees: Deceased individuals are identified within ALS by 
the individual’s record being manually “flagged”. Once the flag is set, ALS 
prevents the sale of any FWP issued licenses using the individual ALS 
record. 
The following sections provide details of our findings. 


Seven Year Wait Licenses 


FWP relies on a table within ALS to monitor individuals who have received these 
license types and prevent the issuance of the same license for the required seven years. 
When a licensee receives a seven year wait license, the name of the licensee, their 
ALS number, the license type code, and the year the license was awarded are placed 
into the table. Should the licensee apply to purchase the same license type within the 
next seven years, a system edit would flag the exclusion and FWP could prevent the 
individual from entering the drawing. 


Audit work was conducted to determine if controls in ALS ensure the seven year wait 
period for specific licenses functions as required. We queried ALS to determine if any 
licensees had been able to purchase any of the license types requiring a seven year wait 
more than once in seven years. Our query did not identify any individuals purchasing 
two of the same seven year wait licenses within seven years. 


Social Security Numbers 


Prior to 2007, FWP requested the complete SSN of all individuals purchasing hunting 
or fishing licenses. During the 2007 Legislative Session, House Bill 450 was passed 
restricting FWP’s collection and storage of SSNs to the last four digits. Audit work 
was performed to verify only the last four digits of licensee social security numbers are 
requested and maintained by ALS. 


After the passage of House Bill 450, FWP developed two new programming scripts: 
the first cut the existing SSNs in ALS from nine digits down to four, and the second 
limited the number of digits accepted by ALS to four. We verified there are no SSNs 
in ALS longer than four digits and observed the entry of new SSNs to verify the 
system will not accept more than four digits. 


Bonus Points 


The idea behind the bonus point system is to provide all applicants at least one 
opportunity at drawing a license, while still giving those individuals who have been 
unsuccessful in the past a chance to increase their odds of drawing a license in the 
future. Each time an individual applies for a drawing, if they have bonus points 
available, they can pay a fee and apply their accumulated points to a drawing. 


Audit work was conducted to verify bonus points awarded to license applicants do not 
affect the randomness of license drawings. Essentially, bonus points act as an additional 
“ticket” in the drawings, but they have no effect on the randomness of the numbers 
drawn. The process is similar to a lottery where the number of tickets an individual 
possesses has no bearing on the winning number drawn. During 2005, we tested the 
randomness of the license drawing process and determined the winner of drawings 
was random and the process has not changed since that time. 
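The lottery analogy above can be made concrete. The following is an added example in Python, not FWP's drawing code: bonus points are modelled as extra tickets in a drum from which each pull is uniformly random, so points change an applicant's share of tickets without changing the randomness of the pull. The applicant data is constructed, and the rule for awarding points after a draw (unsuccessful applicants gain one; a winner's count is left unchanged because the report does not say whether it resets) is an assumption.

```python
"""Added example, not FWP's drawing code: bonus points as extra tickets in a
uniform random draw. Applicant data is constructed; the post-draw point rule is
an assumption."""
import random


def build_tickets(applicants):
    """One ticket per applicant plus one per bonus point applied.
    `applicants` is a list of (als_number, bonus_points)."""
    tickets = []
    for als_number, points in applicants:
        tickets.extend([als_number] * (1 + points))
    return tickets


def odds(applicants):
    """Chance of holding the first ticket pulled: tickets held / tickets in the drum."""
    total = sum(1 + points for _, points in applicants)
    return {als_number: (1 + points) / total for als_number, points in applicants}


def draw_winners(applicants, quota, seed=None):
    """Draw up to `quota` distinct winners. Every ticket is equally likely on each
    pull, so points shift an applicant's odds but the pull itself stays random.
    A winner's remaining tickets are removed so nobody is drawn twice."""
    rng = random.Random(seed)  # seed only so a run can be reproduced
    tickets = build_tickets(applicants)
    winners = []
    while tickets and len(winners) < quota:
        pick = rng.choice(tickets)
        winners.append(pick)
        tickets = [t for t in tickets if t != pick]
    return winners


def award_points(applicants, winners):
    """Unsuccessful applicants earn a point for later drawings (assumed: a winner's
    count is left as is, since the report does not state a reset rule)."""
    return [(a, p if a in winners else p + 1) for a, p in applicants]
```

With three applicants holding 0, 3 and 1 points, `odds` reports shares of 1/7, 4/7 and 2/7 of the drum; running `draw_winners` many times with different seeds converges on those shares while any single pull remains unpredictable.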


Suspension of License Privileges 


Suspensions can be limited to certain species or can run the entire spectrum of licenses 
for hunting, fishing, or both. The NTA and IWVC applications contain information 
on individuals convicted of violating hunting and fishing laws both in Montana and 
other member states of the IWVC. Audit work was conducted to ensure the NTA and 
IWVC interfaces provide accurate suspension information to ALS. Through interviews 
with FWP enforcement staff and observation of each interface, we were able to 
confirm suspension information is transferred to ALS. The data is maintained in the 
same table as the seven year wait information and license issuance is limited as 
previously described. In the case of suspensions, the individuals remain in the table until 
the suspension period ends. 
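The seven year wait control and the suspension control share one exclusion table, as described above and under "Seven Year Wait Licenses". The following added example in Python (not ALS code) shows what that table and the system edit run against it look like: the edit reports every reason a sale or drawing entry should be refused, and suspension rows are retained until their period ends. Type codes, category names, dates, and the reading of "the next seven years" as the seven years after the award year are assumptions.

```python
"""Added example, not ALS code: one exclusion table holding seven year wait entries
and suspensions, plus the edit run before a sale or drawing entry. Type codes,
categories, dates and the wait-window interpretation are assumptions."""

WAIT_YEARS = 7
# Assumed type codes for licenses that carry the wait. The exempt antlerless moose
# and adult ewe management licenses are simply not in this set.
SEVEN_YEAR_WAIT_TYPES = {"MOOSE", "GOAT", "SHEEP_LTD"}

# Constructed rows. kind "wait": species license awarded in `year`.
# kind "suspension": `scope` is ALL, HUNTING or FISHING; `ends` is an ISO date
# string, which compares correctly as text.
EXCLUSIONS = [
    {"als_number": 1001, "kind": "wait", "license_type": "MOOSE", "year": 2004},
    {"als_number": 1002, "kind": "wait", "license_type": "MOOSE", "year": 2001},
    {"als_number": 1003, "kind": "suspension", "scope": "ALL", "ends": "2010-12-31"},
    {"als_number": 1004, "kind": "suspension", "scope": "FISHING", "ends": "2009-01-01"},
]


def wait_block(als_number, license_type, year, table=EXCLUSIONS):
    """Reason text if this applicant received the species license inside the wait
    window (award year plus the seven following years), else None."""
    if license_type not in SEVEN_YEAR_WAIT_TYPES:
        return None
    for row in table:
        if (row["kind"] == "wait" and row["als_number"] == als_number
                and row["license_type"] == license_type
                and 0 <= year - row["year"] <= WAIT_YEARS):
            return (f"received {license_type} in {row['year']}; "
                    f"eligible again in {row['year'] + WAIT_YEARS + 1}")
    return None


def suspension_block(als_number, category, on, table=EXCLUSIONS):
    """Reason text if a suspension covering `category` is still in force on ISO date `on`."""
    for row in table:
        if (row["kind"] == "suspension" and row["als_number"] == als_number
                and row["scope"] in ("ALL", category) and row["ends"] >= on):
            return f"privileges suspended through {row['ends']}"
    return None


def check_application(als_number, license_type, category, year, on, table=EXCLUSIONS):
    """The combined edit: (allowed, reasons). Both checks run so every block is reported."""
    reasons = [r for r in (wait_block(als_number, license_type, year, table),
                           suspension_block(als_number, category, on, table)) if r]
    return (not reasons, reasons)


def expire_suspensions(table, on):
    """Suspension rows stay until the period ends; this removes the ones that have ended."""
    return [row for row in table if row["kind"] != "suspension" or row["ends"] >= on]
```

Running `expire_suspensions` as a scheduled job, rather than relying on a retailer to notice an old end date, keeps the table to the rows the edit actually needs to consult.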


Deceased Licensees 


Since deceased persons do not qualify for licensure, ALS must track deceased individuals 
to prevent license sales to any individual attempting to use a deceased individual’s 
ALS record. To determine the effectiveness of ALS deceased individual tracking, we 
developed a query to identify resident licensees who purchased hunting or fishing 
licenses for 2007 and 2008. Using a computer assisted audit tool, we compared the 
licensees against a list, provided by Montana’s Office of Vital Statistics, of individuals 
who died from 2004 through 2008. We identified 188 resident licensees in ALS who 
were shown as deceased on the list. None of these licenses were purchased after the 
date of death. Given we only reviewed ALS records for 2007 and 2008, there could be 
additional individuals who are deceased but remain eligible in ALS. 


In order to set the ALS deceased licensee flag, FWP relies on external processes; either 
relatives or friends of the deceased must contact the agency and inform them of the 
death of the licensee, or FWP staff calling for an annual survey must identify the 
deceased. These processes are not effective in identifying and flagging all deceased 
licensees in ALS as evidenced by the results of our query. Accounts for deceased 
licensees who remain eligible in ALS could be used to purchase licenses. Agency 
management indicated no process to check for deceased licensees was ever included 
during the business requirement definition stages for ALS, and no automated process 
to identify deceased licensees has been developed since the inception of ALS. 
Duplicate Records 


When a retailer searches ALS to determine if an individual already has an account, and 
the account is flagged as deceased, they receive the same message they would receive if 
the individual does not exist in ALS. The normal process would then be to establish a 
new ALS account. ALS does not automatically perform a real-time duplicate records 
check at the time this new account is created. Additionally, it does not lock the first 
name, last name, and date of birth combination, preventing the use of the same name 
and date of birth for a new record. A duplicate check is only performed once per year 
using a manual process. These factors could allow an individual to make use of the 
personal information of a deceased individual to create a duplicate ALS account. 


While we did not identify any purchases after the date of death using deceased 
licensees’ ALS accounts, the possibility exists. Montana law allows a resident to apply 
for and purchase a wildlife conservation license, hunting license, or fishing license 
for the resident’s spouse, parent, child, brother, or sister who is otherwise qualified 
to obtain the license. Should an individual possess the required identification of a 
deceased relative, and the relative was not flagged as deceased, there would be nothing 
to prevent the individual from purchasing a license using the deceased’s ALS account. 
Additionally, individuals committing identity theft could purchase a license using a 
deceased individual’s identification. 
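The two gaps described in "Deceased Licensees" and "Duplicate Records" above, a routine match against death records and a real-time duplicate check at account creation, can be illustrated together. The following is an added example in Python; it is not ALS code or the audit division's query, all records are constructed sample data, and the field names are assumptions about the ALS and Vital Statistics layouts. The match key is name plus date of birth, normalized so that case and stray spaces do not hide a match.

```python
"""Added example (not ALS or Legislative Audit Division code): a batch match of
licensee accounts against a death-record extract, a sales-after-death check,
and a real-time duplicate-account check. All records are constructed; field
names are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed licensee accounts; 'deceased' models the manual flag in ALS.
LICENSEES = [
    {"als_number": 1001, "first": "Ann", "last": "Smith", "dob": date(1950, 3, 2), "deceased": False},
    {"als_number": 1002, "first": "ann ", "last": "SMITH", "dob": date(1950, 3, 2), "deceased": False},  # duplicate of 1001
    {"als_number": 1003, "first": "Bob", "last": "Jones", "dob": date(1962, 7, 19), "deceased": False},
    {"als_number": 1004, "first": "Cal", "last": "Reed", "dob": date(1944, 1, 30), "deceased": True},
    {"als_number": 1005, "first": "Cal", "last": "Reed", "dob": date(1944, 1, 30), "deceased": False},  # re-created after the flag
]

# Constructed Vital Statistics extract (assumed layout).
DEATH_RECORDS = [
    {"first": "Ann", "last": "Smith", "dob": date(1950, 3, 2), "date_of_death": date(2008, 5, 1)},
    {"first": "Dana", "last": "White", "dob": date(1970, 9, 9), "date_of_death": date(2007, 2, 2)},
]

# Constructed license sales.
SALES = [
    {"als_number": 1001, "sold_on": date(2008, 4, 1)},
    {"als_number": 1002, "sold_on": date(2008, 9, 15)},  # after Ann Smith's date of death
    {"als_number": 1003, "sold_on": date(2008, 9, 15)},
]


def identity_key(rec):
    """Name and date of birth, normalized so case and stray spaces do not hide a match."""
    return (rec["first"].strip().lower(), rec["last"].strip().lower(), rec["dob"])


def match_deceased(licensees, death_records):
    """Map ALS number -> date of death for every account matching a death record."""
    deaths = {identity_key(d): d["date_of_death"] for d in death_records}
    return {l["als_number"]: deaths[identity_key(l)]
            for l in licensees if identity_key(l) in deaths}


def flag_deceased(licensees, death_records):
    """Return a copy of the accounts with the flag set on every match (Recommendation 1A)."""
    matches = match_deceased(licensees, death_records)
    return [dict(l, deceased=l["deceased"] or l["als_number"] in matches) for l in licensees]


def sales_after_death(sales, deceased):
    """ALS numbers with a sale dated after the matched date of death."""
    return sorted(s["als_number"] for s in sales
                  if s["als_number"] in deceased and s["sold_on"] > deceased[s["als_number"]])


def find_duplicates(licensees):
    """Identity keys that own more than one ALS account (the yearly manual check, automated)."""
    groups = defaultdict(list)
    for l in licensees:
        groups[identity_key(l)].append(l["als_number"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def deceased_with_live_duplicate(licensees):
    """Flagged identities that also have an unflagged account: the twin a deceased
    identity could still be used through."""
    flagged = {identity_key(l) for l in licensees if l["deceased"]}
    return {k: v for k, v in find_duplicates(licensees).items() if k in flagged}


def may_create_account(new_account, licensees):
    """Real-time duplicate check at account creation (Recommendation 1B): refuse a
    name and date of birth that already exists, flagged or not, and say why."""
    for existing in licensees:
        if identity_key(existing) == identity_key(new_account):
            state = "deceased" if existing["deceased"] else "active"
            return (False, f"matches {state} account {existing['als_number']}")
    return (True, "")
```

The point of `may_create_account` returning the reason is that the retailer screen can then show a distinct message for a deceased match instead of the same "not found" message that, as noted above, currently leads to a new account being created.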


Conclusion 


Based on our audit work, we conclude specific ALS processing controls we reviewed 
function as management intends; however, the identification and flagging of deceased 
licensees within ALS could be strengthened. FWP should develop a more effective 
process to identify and flag deceased licensees in ALS. It is our understanding the 
Department of Public Health and Human Services, Office of Vital Statistics, has 
experience working with other agencies in developing a direct interface with other 
applications. 


RECOMMENDATION #1 


We recommend the Department of Fish, Wildlife and Parks: 


A. Develop a routine process to compare Automated Licensing System 
resident licensees against death records maintained by the Department 
of Public Health and Human Services, Office of Vital Statistics, and 
automatically flag licensees who match deceased records. 


B. Establish a control to check for duplicate records to help prevent the 
sale of licenses to individuals flagged as deceased in the Automated 
Licensing System. 


Chapter III - Change Control 


Introduction 


Information systems are generally a dynamic and fluidly changing environment. Data 
can be modified and programming code updated to reflect the changing needs of 
an organization or to remediate flaws. However, because there are risks associated 
with any programming or data changes, an organization should try to mitigate risks 
by controlling changes. This occurs through a process called change control which 
manages changes from the initial request to full implementation. The National 
Institute of Standards and Technology (NIST) provides guidance to organizations 
for managing information systems. With regard to change control, NIST states “The 
organization authorizes, documents, and controls changes to the information system.” 
We reviewed procedures in place for the Automated Licensing System (ALS) to ensure 
the Department of Fish, Wildlife and Parks (FWP) controls changes to ALS. 


Data Changes 


Changes made to data by going directly to database tables without using an application’s 
developed software are “back end” changes. These changes are generally made when 
the use of an application, such as changing information in a person lookup/update 
screen, cannot correct a piece of data. FWP programmers can make back end changes 
to data contained in ALS tables. Management stated that, while rare, these types of 
changes do occur in ALS. 


To track data changes, ALS records who makes a change to a row of information in a 
“last updated” field for each row in a table. The last updated field records all changes 
made through the back end, the application, and any changes resulting from a batch 
process potentially producing thousands of changes per day. Most ALS tables do not 
record full update histories, only the most recent change. However, FWP management 
stated there are a number of tables they have identified as critical to ALS functionality 
which record a full history of changes. FWP does not monitor these histories for 
inappropriate or unauthorized back end data changes. 


Individuals allowed to make unmonitored data changes through the back end could 
manipulate critical data within ALS without authorization. Such manipulation could 
result in events such as unauthorized individuals obtaining licenses or permits or 
unauthorized redirection of funds. 


The ALS database consists of over 300 individual tables. Many of those tables 
contain thousands of individual rows; one specific table contains millions of individual 
rows. Agency management stated it is difficult and time consuming to monitor all 
data changes. No process exists to screen through the changes made to the tables by 
all users. FWP management expressed they were unaware of any features which would 
allow them to isolate changes made by individual users through the back end and 
provide a means to review those changes in a timely manner. However, we are aware of 
another agency using the same database software as ALS that has developed a report 
which isolates users who have made changes to tables through the back end. 
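The report the paragraph above refers to, one that isolates back end changes by user from among the thousands of application and batch changes recorded each day, can be built from a change-history table alone. The following added example in Python with the standard sqlite3 module is not the other agency's report and not ALS code; it assumes that the application and batch processes connect under known service accounts, so that any change attributed to another account was made directly against the tables, and that history rows may carry the Tracker request number the change was made under. All rows are constructed sample data.

```python
"""Added example, not ALS or another agency's code: isolate direct ("back end")
table changes by user from a change-history table and cross-check them against
approved Tracker requests. Service account names, the tracker_id column and
all rows are constructed assumptions."""
import sqlite3

SERVICE_ACCOUNTS = ("als_app", "als_batch")  # assumed application and batch accounts

# Constructed history rows: (table_name, row_id, changed_by, changed_at, tracker_id).
# changed_at is an ISO timestamp string so it sorts and compares correctly as text.
HISTORY = [
    ("license_sale", 1, "als_app", "2009-06-01 08:00:00", None),
    ("license_sale", 2, "als_app", "2009-06-01 08:01:00", None),
    ("person", 77, "als_batch", "2009-06-02 02:00:00", None),
    ("person", 78, "als_batch", "2009-06-02 02:00:01", None),
    ("person", 501, "jdoe", "2009-06-02 10:15:00", 4120),      # back end, ticketed
    ("person", 502, "jdoe", "2009-06-02 10:16:00", 4120),
    ("license_fee", 9, "asmith", "2009-06-03 16:45:00", None),  # back end, no ticket
    ("exclusion", 33, "asmith", "2009-06-04 09:00:00", 9999),   # back end, ticket not approved
]
APPROVED_TRACKER_REQUESTS = {4120}  # constructed


def build_history_db(rows=HISTORY):
    """Load the constructed history into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE change_history (table_name TEXT, row_id INTEGER, "
                 "changed_by TEXT, changed_at TEXT, tracker_id INTEGER)")
    conn.executemany("INSERT INTO change_history VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def _not_service(service_accounts):
    # The placeholder list contains only '?' characters; values are bound separately.
    return "changed_by NOT IN (" + ",".join("?" * len(service_accounts)) + ")"


def backend_change_summary(conn, since, service_accounts=SERVICE_ACCOUNTS):
    """One row per (user, table) for direct changes since `since`: count and time window.
    This is the review-sized view; application and batch traffic is excluded."""
    sql = ("SELECT changed_by, table_name, COUNT(*), MIN(changed_at), MAX(changed_at) "
           "FROM change_history WHERE changed_at >= ? AND " + _not_service(service_accounts) +
           " GROUP BY changed_by, table_name ORDER BY changed_by, table_name")
    return conn.execute(sql, (since, *service_accounts)).fetchall()


def unauthorized_backend_changes(conn, approved=APPROVED_TRACKER_REQUESTS,
                                 service_accounts=SERVICE_ACCOUNTS):
    """Direct changes with no Tracker request, or one that was never approved:
    the rows a reviewer follows up first."""
    sql = ("SELECT table_name, row_id, changed_by, changed_at, tracker_id FROM change_history "
           "WHERE " + _not_service(service_accounts) + " ORDER BY changed_at")
    rows = conn.execute(sql, service_accounts).fetchall()
    return [r for r in rows if r[4] is None or r[4] not in approved]
```

The summary is what would be e-mailed for routine monitoring; the unauthorized list is the follow-up queue. Tables that keep only a "last updated" value rather than a full history can still feed the summary, but not the per-row detail.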


Conclusion 


Based on our audit work, we conclude FWP is not properly controlling changes to 
data made through the back end of the ALS. Given that another agency has developed 
a process to monitor back end data changes, FWP should be able to develop a similar 
report. In addition, costs should not be excessive for FWP to implement a similar 
process. 


RECOMMENDATION #2 


In order to ensure unauthorized or inappropriate back end data changes are 
not being made, we recommend the Department of Fish, Wildlife and Parks: 


A. Develop a report within the Automated Licensing System to isolate 
changes made by staff with back end data access. 


B. Routinely monitor report contents to determine if inappropriate or 
unauthorized back end data changes are being made. 


Programming Changes 


Changes made to the underlying code dictating the functionality of an information 
system are programming changes. Such changes are generally performed by 
programmers to enhance the system or fix programming errors (commonly referred 
to as “bugs”). Between 2006 and 2009, FWP recorded 430 enhancements and 
687 bug fixes to ALS. Many of the enhancements were considered minor by agency 
management and included changes to field sizes and the addition of a table. One 
significant enhancement was the addition of a new user interface for retailers and 
regional offices using ALS to issue licenses. Many of the bug fixes were associated with 
the implementation of the new user interface. 


FWP stated they employ a three step process for controlling and monitoring 
programming changes to ALS: 


• Tracking programming and data change requests. 


• Using a Subversion library. 


• Managing the migration of programming code to the production 
environment. 


Each of these steps is considered a programming change control. Audit work focused 
on verifying FWP follows these change control procedures. The following sections 
discuss each of the change control steps. 


Tracker 


FWP employs a separate computer application, called Tracker, to approve and monitor 
the progress of changes to ALS. Requests for enhancements and bug fixes are placed 
in Tracker by the requester. Requests are reviewed by management, approved/denied, 
prioritized, and assigned to a programmer. In Tracker, the programmer can review the 
request, record their progress, and ask questions among other abilities. The requester 
and management can follow the progress of the request and Tracker sends an e-mail 
when the status of the request changes. When the programming change is ready to 
be tested, the requester is notified. Once user acceptance testing is completed and 
signed off in Tracker by the requester, the change can be migrated to the production 
environment. 


Subversion 


Programmers assigned to make changes to ALS programming code access a working 
copy of the code from the ALS Subversion library. As described by the original 
Subversion developers: 
“Subversion is a free/open source version control system. That is, Subversion 
manages files and directories, and the changes made to them, over time. This 
allows you to recover older versions of your data or examine the history of 
how your data changed. In this regard, many people think of a version control 
system as a sort of ‘time machine’.” 


Once a programmer has completed a code change, they are to follow a “check in” process 
to place the code back into Subversion, recording who, when, and what was changed. 
When the process is followed, FWP can return to Subversion should something not 
work correctly and be able to determine what was changed and by whom. The check in 
should occur prior to migration of the new code into the production version of ALS. 


Migration 


All ALS servers are housed and maintained by the Department of Administration 
Information Technology Services Division (ITSD) under an agreement with FWP. 
The services provided by ITSD include maintaining ALS production code. FWP 
programmers have the ability to view the production version of the code; however, they 
do not have the ability to modify the code directly. Migration is the process of moving 
new programming code from development into the production version of ALS. 
FWP currently has a primary migration coordinator and one primary backup. The 
coordinator records all requests for migration by logging each request in a spreadsheet. 
Once logged, the file containing the code is sent to ITSD with a request to migrate it 
to production. 


Effectiveness of Controls 


FWP has ALS change control procedures in place. However, as shown in Figure 1, 
procedures do not have to be followed to get code into production, thus reducing the 
effectiveness of existing controls. 


Figure 1 
FWP Programming Change Controls 


[Figure: flow diagram of the three-step control process. Step 1: Request 
Approval (Tracker); Step 2: New Code Check In (Subversion); Step 3: Code To 
ITSD and Code into Production. Weaknesses shown beside the steps: May Not Use 
Tracker; May Not Check Into Subversion; Tracker Verification Not Performed; 
Code Not Limited.] 


Source: Compiled by the Legislative Audit Division from information obtained from the Department of 
Fish, Wildlife and Parks. 


During our review, we noted not all change control procedures were required in policy. 
FWP implemented a new written policy requiring all Application Development Bureau 
staff to use the Tracker application. Because all programming and back end changes 
go through the Bureau, management believes this should address all changes to ALS. 
Although the use of Tracker is mandated in policy, individuals could still fail to follow 
its required use. An individual could either intentionally or unintentionally fail to log 
a programming or data change into Tracker. 


Similar to Tracker, an individual may not follow the Subversion check in policy, 
unintentionally or otherwise, and not check in the code prior to migration. Once 
the new code has been migrated to production, should a programmer not return 
the working copy of the new code to Subversion, there would be no record of who 
changed what and when. As with the two previous steps, the migration process, which 
is not in policy, could be forgotten or skipped. Should the migration coordinator and 
their backup be unavailable, three other FWP programmers have rights for migration. 
Thus, any of the five programmers can transfer ALS programming code to ITSD and 
request migration to production. 


Management indicated they rely on the effectiveness of Tracker to monitor changes, 
and staff to follow Subversion and migration procedures. While we agree change 
control procedures are in place, they relate to individual steps in the process and do 
not work in combination with each other. For example, the migration coordinator is 
not currently required to check Tracker to ensure a change was approved, tested, and 
signed off by the requester. Additionally, FWP has an application capable of checking 
the production code on a line by line basis against the Subversion copy to identify 
differences. Any differences between the two are reported via e-mail to all members of 
the Application Development Bureau for follow up, thus strengthening the ability to 
detect unauthorized code changes. However, this process has not been implemented 
for ALS. 


The existing control configuration allows a programmer to develop code (with or 
without a request), not record it in Tracker, not check it back into the Subversion 
library, and have it migrated into production, without following any of the change 
control procedures in place. Strengthening the change control process should improve 
overall effectiveness. 
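Two of the controls discussed above, a check that production code matches the Subversion copy and a migration step that verifies Tracker approval and acceptance before code moves, are small enough to show in working form. The following added example in Python is not FWP's comparison application, Tracker, or Subversion; the file contents, Tracker record layout, and the convention that a check in message carries its Tracker request number are all constructed assumptions.

```python
"""Added example, not FWP, Tracker or Subversion code: (1) a line by line
comparison of production files against the repository copy, and (2) a
migration gate that refuses code without an approved, signed-off request and a
matching check in. File contents, record shapes and the check-in convention
are constructed assumptions."""
import difflib

# Constructed: repository copy and production copy of the same source tree.
SUBVERSION_COPY = {
    "license_sale.py": "def sell(license_type, fee):\n    return record(license_type, fee)\n",
    "exclusion.py": "WAIT_YEARS = 7\n",
}
PRODUCTION_COPY = {
    "license_sale.py": "def sell(license_type, fee):\n    return record(license_type, fee)\n",
    "exclusion.py": "WAIT_YEARS = 5\n",  # changed in production without a check in
    "bonus.py": "POINTS = 1\n",          # exists only in production
}

# Constructed Tracker requests and Subversion log; the third log field is the
# Tracker request number quoted in the check in message (assumed convention).
TRACKER = {
    4120: {"approved": True, "tested": True, "signed_off_by": "requester"},
    4121: {"approved": True, "tested": False, "signed_off_by": None},
}
SUBVERSION_LOG = {"license_sale.py": [("r201", "jdoe", "4120")]}


def find_drift(repo, prod):
    """Files whose production text differs from the repository copy, including files
    present on only one side, each with a unified diff ready to be e-mailed."""
    drift = {}
    for name in sorted(set(repo) | set(prod)):
        repo_text, prod_text = repo.get(name, ""), prod.get(name, "")
        if repo_text == prod_text:
            continue
        diff = difflib.unified_diff(repo_text.splitlines(), prod_text.splitlines(),
                                    fromfile=f"subversion/{name}",
                                    tofile=f"production/{name}", lineterm="")
        drift[name] = "\n".join(diff)
    return drift


def migration_allowed(tracker_id, filename, tracker=TRACKER, svn_log=SUBVERSION_LOG):
    """The check the migration coordinator is not currently required to make:
    (ok, reasons). Approval, user acceptance sign-off and a check in that
    references the request must all be present before code goes to ITSD."""
    reasons = []
    req = tracker.get(tracker_id)
    if req is None:
        reasons.append("no Tracker request")
    else:
        if not req["approved"]:
            reasons.append("request not approved")
        if not (req["tested"] and req["signed_off_by"]):
            reasons.append("user acceptance not signed off")
    if not any(entry[2] == str(tracker_id) for entry in svn_log.get(filename, [])):
        reasons.append("no Subversion check in referencing the request")
    return (not reasons, reasons)
```

Run on the constructed data, `find_drift` reports `exclusion.py` (edited in production) and `bonus.py` (never checked in), which is exactly the situation the paragraph above describes; `migration_allowed` passes request 4120 and refuses 4121, which was never signed off and has no check in.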
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RECOMMENDATION #3 


We recommend the Department of Fish, Wildlife and Parks strengthen 
existing change controls by: 


A. Establishing formal, written policies requiring use of existing change 
control procedures. 

B. Further limiting rights for migration. 

C. Requiring verification of approval and acceptance of programming 
changes prior to migration. 

D. Implementing Subversion code check. 


Chapter IV — System Availability 


Introduction 


Agencies are responsible for maintaining information systems availability in the event 
of a disaster or major outage. A diverse set of outages could occur, each resulting in 
the loss of system functionality. Montana has experienced a variety of natural disasters 
in its history, including earthquakes, wildfires, and floods. However, disruptions are 
not limited to natural events and can include human-caused events such as denial of 
service attacks, viruses, programming errors, or sabotage. 


To mitigate the damage resulting from major and minor disruptions, agencies need 
to implement a disaster recovery plan. Specifically, the organization should develop 
policies, plans, and procedures to regain access to data, workspace, lines of communi- 
cation, and critical business processes. Once the agency has developed a plan, it should 
be tested for effectiveness on a regular basis. The results of tests should be documented 
and any necessary changes should be made to the plan. Additionally, the organization 
should develop plans for application dependent operations to continue in the interim 
while the information system is being recovered. 


Disaster Recovery Plan 


The Automated Licensing System (ALS) is critical to issuing licenses and enforcement 
of regulations for hunting and fishing; any system outage may result in a loss of ability 
to issue licenses and thus generate revenue, and an overall inconvenience to sportsmen 
and women. Although management is aware of the need for a disaster recovery plan 
and considers it a critical element for ALS, the Department of Fish, Wildlife and Parks 
(FWP) does not maintain an up-to-date disaster recovery plan for ALS. Additionally, 
FWP has not completed any internal disaster recovery testing on ALS. 


Montana statute requires agency directors to implement appropriate cost-effective 
safeguards to reduce, eliminate, or recover from identified threats to data (§2-15- 
104(3), MCA). Additionally, the Service Level Agreement (SLA) between FWP and 
the Department of Administration, Information Technology Services Division (ITSD) 
requires FWP to have a disaster recovery plan in place. In addition, the National 
Institute of Standards and Technology (NIST) provides additional guidance stating, 
“The organization develops and implements a contingency plan for the information 
system addressing contingency roles, responsibilities, assigned individuals with contact 
information, and activities associated with restoring the system after a disruption or 
failure.” ITSD Incident Response policy requires agencies to follow the guidelines set 
forth in NIST. Incident response is often associated with, and should be a part of, 
disaster recovery planning. 
Management indicated there was some level of assurance that, should an event occur, 
ITSD would be able to fully recover ALS. However, ITSD is responsible for restoring 
the underlying hardware and software for ALS and loading the backup data only. The 
agreement between ITSD and FWP places the responsibility for testing the application 
and ensuring the accuracy of the data with FWP. 


Under the current circumstances, FWP may not be able to fully restore ALS in the 
event of a disaster which either partially or completely disables ALS. Without an 
up-to-date disaster recovery plan, FWP does not have details on staff assignments, 
critical infrastructure, time frames, priorities, etc. ITSD has tested its disaster recovery 
plan and has been unable to fully restore all aspects of ALS. While each occurrence 
was a result of a documentation failure, the tests provide evidence of the difficulties 
of restoring information systems after a disaster, and demonstrate the need to fully 
document and maintain all aspects of a disaster recovery plan. 


According to FWP management, in the interim of recovery, they could fall back on 
issuing licenses via paper. However, without an up-to-date disaster recovery plan, the 
agency does not have details on the processes required to move to issuing paper licenses. 
For example, the length of ALS downtime which will trigger the paper licensing process 
is not detailed in a formal plan; nor is the potential loss of paper license inventory data, 
such as the number of paper licenses available and their locations. Also, many retailers 
and their employees may no longer be properly trained on issuing licenses through 
the paper method. Additionally, many of the ALS functions, including verification of 
eligibility to purchase licenses, may be lost in the event of a disaster. For example, ALS 
monitors purchasing history and interfaces with other outside agency applications to 
determine residency and legal status of license applicants. These factors could result in 
a slowing of the licensing process. FWP relies on an automated application to perform 
drawings for specific tags and the loss of ALS could result in the inability of the agency 
to perform the drawings, at least in a timely manner. Each of these factors could result 
in negative public relations and a loss of revenue for FWP. This is especially true in 
the case of ALS since license revenue accounted for $45.6 million in agency revenues 
during fiscal year 2009. 


Although there can be significant costs associated with maintaining an up-to-date 
disaster recovery plan, the cost of attempting to recover missing data, purchasing 
new hardware, and other unplanned operations will be far more excessive. Given the 
mission of FWP, the agency is not at risk of being permanently unable to recover; 
however, there will be additional costs and loss of revenue when attempting to recover 
downed and damaged operations without an effective plan. 




RECOMMENDATION #4 


We recommend the Department of Fish, Wildlife and Parks maintain an up-to- 
date disaster recovery plan for restoration of the Automated Licensing System 
in the event of a disruption. 


DEPARTMENT OF FISH, 
WILDLIFE AND PARKS 


DEPARTMENT RESPONSE 




P.O. Box 200701 
Helena, MT 59620-0701 
(406) 444-3186 

FAX: 406-444-4952 
Ref: DO0443-09 
November 2, 2009 


Ms. Tori Hunthausen 
Legislative Auditor 
State Capitol - Rm 160 
Helena MT 59620-1705 


Dear Ms. Hunthausen: 


Montana Fish, Wildlife & Parks (FWP) has received and reviewed the 2009 audit report issued on 
the Automated Licensing System (ALS). FWP's responses to the four recommendations, with 
subcategories, follow. For convenience, we have excerpted each recommendation, and placed the 
department's response following each recommendation. 




Recommendation #1 
We recommend the Department of Fish, Wildlife & Parks: 


1A. Develop a routine process to compare Automated Licensing System resident licensees 
against death records maintained by the Department of Public Health and Human 
Services, Office of Vital Statistics, and automatically flag licensees who match deceased 
records. 


FWP Response: 


Concur. 


FWP’s Technology Services staff have already begun working with Department of Health and Human 
Services (DPHHS) staff to implement this recommendation, and a signed memorandum of 
understanding (MOU) now exists. Even though no incorrect use of a deceased individual’s ALS record 
was identified in the years examined, and the effort to implement this interface may exceed factual 
savings or return, FWP agrees it is prudent to make reasonable attempts to avoid invalid use of a 
deceased individual’s record. FWP anticipates this interface being implemented within the current fiscal 
year. It should be noted there are still several limitations with the recommended process: 
• DPHHS has a lag time in their records, so "time" for invalid use of each involved record will still 
exist. 
• FWP has been told that residents who die out-of-state likely will not have records included in 
the DPHHS system. This will limit the effectiveness of such an interface and process. 
• There may be times when the accuracy of a positive match between the two systems is 
questionable, based on the available criteria. In some cases, FWP may choose not to flag a 
record rather than run the possibility of flagging the wrong record. 




1B. Establish a control to check for duplicate records to help prevent the sale of licenses to 
individuals flagged as deceased in the Automated Licensing System. 


FWP Response: 
Concur. 


As described in the audit report, the possible creation of duplicate records would have been the result of 
a misleading error message. That error message has been changed to minimize or eliminate the 
possibility of the system misleading the clerk toward the establishment of a new record when the 
original had been marked as that of someone deceased. However, FWP has chosen to not place the 
private business in a role of “enforcer”. If the license buyer is adamant about their identity and has the 
appropriate identification, a record is to be created with any necessary cleanup of duplicates anticipated 
at a later date. As explained to the auditor during interviews, the current system design and construction 
already attempts to display “possible” matches to a clerk when any new record is being created. This 
covers all customers and all new record creation. Agent handbooks, and training, instruct clerks to 
verify whether presented "possibles" are or are not the individual standing in front of the counter. In 
doing so, the clerk may identify the correct existing record and not create a duplicate. If the clerk does 
not take the time and effort to perform the verification, a second (or duplicate) record could be created 
for the individual. Additional processes developed, and annually performed by FWP Licensing staff, are 
designed to merge or consolidate duplicate records that do end up being created for customers. 


Recommendation #2 
In order to ensure unauthorized or inappropriate back end data changes are not being made, we 
recommend the Department of Fish, Wildlife & Parks: 


2A. Develop a report within the Automated Licensing System to isolate changes made by 
staff with back end data access. 


FWP Response: 
Concur. 


Currently, all “back-end” changes noted as a concern by the Legislative Audit Division (LAD) already 
contain the ID of the individual who made the data change, as well as the date and time of the change. 
FWP Technology Services staff clearly understand that purposeful unauthorized or inappropriate 
changes to ALS data can result in termination, and even be career ending. FWP has a formal policy 
pertaining to back-end changes, with staff aware of the steps they are anticipated to take to document 
any changes they may be making. However, FWP agrees it is still prudent to monitor data changes to 
allow recovery or correction if something were inadvertently changed in error, as well as verify that 
policy is being followed for all other changes. FWP has been provided with a technical contact within 
the “other agency”, and over the course of the upcoming year will work closely and cooperatively to 
minimize any re-invention or duplication of processes within state government, and to the extent 
possible put processes in place to provide regular reports of such back-end changes. It is possible that 
the other agency's technical situation is, in fact, not "apples to apples" with FWP's technical situation, 
and therefore not applicable, but FWP will investigate the possibility, and work toward ultimately 
finding a comprehensive solution. 


2B. Routinely monitor report contents to determine if inappropriate or unauthorized back 
end data changes are being made. 


FWP Response: 
Concur. 


FWP data base administrators (DBAs) already perform several "monitoring" efforts related to "FWP 
hosted" databases. A complication for ALS efforts has been limits in what the Department of 
Administration, Information Technology Services Division (ITSD) will authorize as access roles for 
FWP DBAs. Once a routine or regular report exists for all back end changes of data, held in ALS on 
ITSD equipment, FWP DBAs will review the reports on a regular basis and inquire where and as 
appropriate to ensure no changes of concern are made. 


Recommendation #3 
We recommend the Department of Fish, Wildlife & Parks strengthen existing change controls by: 


3A. Establishing formal, written policies requiring use of existing change control 
procedures. 


FWP Response: 
Concur. 


FWP currently has formal policies related to request submission and tracking (Tracker), and code 
storage and version control (Subversion). Technology Services staff know what is expected, and that 
disciplinary action "could" occur if the designated steps are not followed. However, it is true that 
current change control procedures "could" be sidestepped to get changes in production. To strengthen 
existing controls, and intending to ensure that existing policy is followed, FWP will formally document 
and communicate those steps in written policy, with the same consequence. This over-arching policy is 
anticipated to be in place before the calendar year’s end. 


3B. Further limiting rights for migration. 
FWP Response: 
Concur. 


FWP currently limits migration rights to those 5 technical staff members that are identified with 
“primary” support responsibilities for ALS. Existing authority levels were chosen in an attempt to 
balance resources, risk and responsiveness. FWP understands and accepts the risks involved with our 
decisions. As alluded to by the LAD, there are times when scheduled and/or unscheduled absences can 
result in instances where a single migration coordinator, and backup, is not sufficient to ensure that a 
migration that is critical or sensitive to FWP’s customers can be performed as necessary. Waiting for 
the availability of such staff is simply not an acceptable option at many points in FWP’s business cycle 
because of the possible volume of customers negatively impacted, or critical deadlines involved. FWP 
will further examine this issue to identify whether a yet smaller number of employees is possible as 
backup to ensure that all schedules may be covered. This will likely include adding designated backup 
staff during times when “scheduled” absences are anticipated, and revoking those authorities when the 
initial employee returns. 


3C. Requiring verification of approval and user acceptance of programming changes prior 
to migration. 


FWP Response: 
Concur. 


In addition to formally documenting, in policy, a requirement to follow change control policies, FWP 
will include within the same policy that staff responsible for migrations are also responsible to ensure 
that appropriate steps have been taken (Tracker, Subversion, and any other appropriate approval) prior to 
migration. FWP Technical Services management will perform periodic review of migration 
documentation to ensure that policy is being followed. 


3D. Implementing Subversion code check. 
FWP Response: 
Concur. 


Code check currently is in place for database “structure” changes. Code check is not currently 
implemented for “application software”. FWP had already intended, and will implement for smaller 
internal applications to ensure it works properly, and then will include ALS software in the same 
process. While FWP will move forward as quickly as possible, it will likely be in the next fiscal year 
before this recommendation is completely implemented. 


Recommendation #4 

We recommend the Department of Fish, Wildlife & Parks maintain an up-to-date disaster 
recovery plan (DRP) for restoration of the Automated Licensing System in the event of a 
disruption. 


FWP Response: 


Concur, with qualifications. 
Under the initial contract for ALS construction, a DRP related to non-ITSD responsibilities for ALS was 
produced and delivered. At this point in time it is dated and in need of revision, as suggested by the 
LAD. The majority of FWP ALS “recovery” actions or testing efforts, are subsequent to and rely on the 
actual existence of ALS infrastructure and data, which is hosted and provided for by ITSD. With 
several failed attempts over the years, ITSD has never recovered ALS to the point where FWP efforts 
could begin. These failures have severely challenged FWP’s ability to exercise, validate or revise the 
DRP delivered by the contractor, test a “recovered” application, or validate “recovered” data through 
previously defined and documented testing scenarios. As so aptly noted within this report, disasters can 
occur in many forms and places, and the type and location of disaster is very pertinent to the action 
required for FWP recovery, or action. It is true that specific details should be formally documented to 
allow and ensure a smooth transition back to a paper based system, if necessary, and with approximately 
100 years of experience with a paper based process, FWP is confident those details can be adequately 
documented. Most challenges would be of an internal administrative nature as opposed to those 
affecting FWP’s customers. Prior to this report, FWP recognized the risks and limits posed by the 
current DRP, and it contributed to a decision in 2008 to focus the FWP Security Officer position on 
Continuity of (technology) Operations. This individual has been working on developing consistent and 
comprehensive DRPs, and security procedures, for all FWP technology related systems and services. 
Recent efforts include planning, and upcoming training with ITSD for utilization of the state enterprise’s 
Living Disaster Recovery Planning System (LDRPS). As hinted to within this report, there is much 
work yet to be done. FWP is in complete agreement and will continue to move forward on development 
of a current and up-to-date DRP for ALS, and all FWP technology, and will attempt to perform regular 
recovery exercises to the greatest extent possible, regardless of ITSD’s future ability to recover the data 
and infrastructure as promised and paid for within the ITSD/FWP SLA. It is expected that an initial up- 
to-date plan can be developed by calendar year 2010 end, with ongoing testing and evolution 
anticipated. 


FWP does recognize the benefits of the LAD recommendations and will strive to implement in as timely 
a manner as is possible. Thank you for the opportunity to comment. 


Sincerely, 


Joe Mauner 
Director 